Privacy Policy
The company BHT, UNIPESSOAL LDA., with registered office at Rua de Carvalha, nº 570, 2400 - 441 Leiria, registered at the Commercial Registry Office of Leiria, under the registration number 515724637, with a share capital of €5,000.00 (hereinafter “BHT” or “Data Controller”) is responsible as data controller for the processing of personal data collected through the website www.bhout.com (“Website”), the BHT mobile application (“App”), or in the context of other interactions with its customers and users.
BHT has appointed a Data Protection Officer ("DPO") who can be contacted via email at privacy@bhout.com.
BHT is committed to protecting the privacy and personal data of its clients and users and has therefore developed and adopted this privacy policy and the practices described herein (the “Privacy Policy”). This Privacy Policy sets out how personal data is collected and processed, and, therefore, we recommend that this document is read carefully.
1. What is the purpose of this Policy?
1.1. The purpose of this Privacy Policy is to provide a transparent explanation of the procedures by which we collect and process the personal data of users of the Website and the App, as well as of our clients, in strict compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter, “GDPR”) and further applicable law.
1.2. The terms used in this Privacy Policy shall have the meaning assigned to them under the GDPR, unless expressly stated otherwise.
2. What is personal data?
2.1. Personal data refers to any information relating to an identified or identifiable natural person (“Data Subject”), regardless of the nature and the medium of such information, including sound and image.
2.2. By way of example, personal data shall include the following: full name, address, telephone number, email address and tax identification number, among others.
2.3. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name, identification number, location data, an online identifier) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2.4. The data protection principles provided in the applicable legislation shall apply, namely, lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and proactive accountability.
3. What are the purposes, lawfulness and retention periods for the processing of Personal Data?
3.1. The processing of personal data is carried out, pursuant to Article 6 of the GDPR, on the following legal bases, for the following purposes and during the following retention periods:
| PURPOSE |
Legal Basis |
Retention Period |
| Access to and use of our services and management of the contractual relationship (including registration on the Website and the App, subscription and booking of classes, and connection to the BHOUT BAG). |
Performance of the contract
Consent (for sensitive data) |
For the duration of the contract and for a period of two years after the last interaction with the client. |
| Management of bookings, usage and entries at BHOUT CLUB |
Pre-contractual procedures and performance of the contract |
Up to 1 year after the class/booking has taken place |
| Technical support in the use of our services |
Performance of the contract
Legitimate interest (maintenance and security of accounts and access) |
For 12 months after collection of personal data |
| Management and customer service |
Performance of the contract/Legitimate interest (responding to enquiries from clients or prospective clients) |
For the duration of the contract and up to two (2) years after its last interaction |
| Subscription to and maintenance of insurance policies. |
Compliance with a legal obligation of BHOUT |
While our services and/or products are being used |
| Accounting and invoicing |
Performance of the contract
Compliance with a legal obligation of BHOUT |
10 years after use of personal data |
| Partnerships (Registration and scheduling of clients/classes through partners) |
Performance of the contract
Legitimate interests of BHOUT (development of commercial partnerships and customer acquisition) |
During the term of the subscription/contract with the partner and while the client uses the partner's services |
| Community development and competition, namely through the disclosure of scores in BHOUT CLUB and in the App |
Legitimate interests of BHOUT (gamification / development of the BHOUT concept) |
BHOUT CLUB: Only during the display
App: for 1 year after collection |
| Technical feedback |
BHOUT's legitimate interests (providing a better customer experience and assisting with technical improvements) |
In real time, the data used for this purpose is not retained |
| Credit recovery in the event of infringement |
Legitimate interests of the controller (debt collection)
Compliance with a legal obligation of BHOUT |
Until recovery or extinction of the debt + 5 years |
| Immediate customer support at BHOUT CLUBs |
Legitimate interests of BHOUT (customer support and digitization of entries/promotion of the BHOUT concept) |
The personal data used is not retained by BHOUT |
| Video surveillance |
Legitimate interests of the data controller (protection of persons and property) |
For 30 days after collection |
| Selection and analysis of candidate employees and interviews |
Pre-contractual due diligence and performance of the contract |
Until the application is rejected
In the case of an application for a specific advertised vacancy: until the deadline for filling the vacancy
In the case of unsolicited applications: up to 6 months after receipt of the application |
| Retention of applications for review and selection for future vacancies |
Consent |
Up to 1 year after receipt of application |
| Diret Marketing |
Consent/Legitimate Interest (to promote our services and products) |
Until consent is withdrawn or until you express your objection to receiving commercial communications or until 24 months after the client's last interaction with BHOUT |
| Execution and management of campaigns through social media |
Legitimate interests of BHT (managing and optimizing digital marketing campaigns, improving the effectiveness of promotional activities and the user experience) |
Until the client oposes such processing or 24 months after the client's last interaction with BHOUT |
| Management and improvement of websites and applications |
Legitimate Interest (development and improvement of our services and products)/Consent (cookies) |
For as long as the data subject uses our services and/or products and for 6 months further
Until consent is withdrawn, or 12 months after collection of consent |
| Business Analysis |
Legitimate Interest (knowledge and development of our business) |
For as long as our services and/or products are used, and after that for 2 years after the client's last interaction with BHOUT |
| Security and Fraud Prevention |
Legitimate Interest (to prevent fraud and ensure the security of the systems and networks used) |
For as long as the data subject uses our services and/or products |
| Development of Products and Services |
Legitimate Interest (development and improvement of our services and products)/ Consent (cookies) |
For as long as our services and/or products are used, and until consent is withdrawn. |
| Franchise Network Management |
Legitimate Interest (to enable the provision of services and control of the business) |
For as long as our services and/or products are used, throughout the duration of the contract |
| Establishment, exercise or defense of legal claims |
Legitimate Interest (preservation of evidence and enabling defense in judicial or similar proceedings) |
For the applicable statutory limitation period |
3.2. Where the processing of data is based on consent, the data subject may withdraw such consent at any time, without affecting the lawfulness of the processing carried out prior to its withdrawal.
3.3. Where we rely on legitimate interest, we carry out a proportionality assessment to ensure that our interests are not overridden by the fundamental rights and freedoms of data subjects.
3.4. Personal data collected for purposes where the legal basis is the performance of the contract are necessary for the conclusion and performance of the contract between BHOUT and the Data Subject.
3.5. The frequency of messages for direct marketing purposes may vary depending on the type of communication and services selected.
3.6. In the case of Data Subjects that use our services through BHT’s partners, personal data is collected through the partners.
4. Categories of Personal Data Processed
4.1. The categories of personal data we collect include:
| CATEGORY |
SPECIFIC DATA |
| Identification Data |
Full name, date of birth, gender, photograph |
| Contact Data |
Email address, phone number, postal address |
| Billing Data |
Tax identification number, payment details, purchase history |
| Usage Data |
Training history, user preferences, comments and feedback |
| Technical Data |
IP address, browser type, operating system |
| Professional Data |
CV, Professional experience (for applications) |
| Health Data |
Weight (with explicit consent) |
4.2. We apply the data minimization principle, collecting only the data that is strictly necessary for the specific purpose.
5. How do we protect your personal data?
5.1. We implement appropriate technical and organizational measures to protect your personal data, including:
a) Technical measures:
• Data encryption in transit (TLS/SSL);
• Secure password storage (one-way hashing);
• Firewalls and intrusion detection systems;
• Regular backups and recovery plans; and
• Regular security updates and patches.
b) Organizational measures:
• Role-based access control and need-to-know principle;
• Regular staff training on data protection;
• Confidentiality agreements with employees and third parties;
• Internal information security policies; and
• Regular security audits and reviews.
5.2. Our service providers and data processors are carefully selected and are contractually required to implement appropriate security measures.
5.3. Despite the measures adopted, no system is completely infallible. In the event of a personal data breach, we will comply with the provisions of GDPR.
5.4. We recommend that users also take measures to protect their personal information, such as:
• Keep your login credentials confidential;
• Use strong and unique passwords;
• Log out after using the services;
• Immediately report any unauthorized use or suspected security breach.
6. What are your rights and how can you exercise them?
6.1. As a data subject, you have the following rights:
a) Right of access (Art. 15 GDPR): to obtain confirmation as to whether personal data concerning you is being processed, and to access such data;
b) Right to rectification (Art. 16 GDPR): to request the correction of inaccurate or incomplete personal data;
c) Right to erasure (right to be forgotten) (Art. 17 GDPR): to request the deletion of your data when it is no longer necessary for the purposes for which it was collected, or when you withdraw your consent;
d) Right to restriction of processing (Art. 18 GDPR): to request that we restrict the processing of your data in certain circumstances (e.g., when you contest its accuracy);
e) Right to object (Article 21 GDPR): to object to the processing of your data on grounds relating to your situation. You may also object at any time to the processing of your data for direct marketing purposes.
f) Right to data portability (Art. 20 GDPR): to receive your data in a structured, commonly used and machine-readable format, and to transmit it to another controller;
g) Right not to be subject to automated decision-making (Art. 22 GDPR): not to be subject to decisions based solely on automated processing, including profiling, except where legally permitted; and
h) Right to withdraw consent: you may withdraw your consent at any time, without affecting the lawfulness of processing based on consent prior to its withdrawal.
6.2. You may exercise these rights free of charge by submitting a request through the email: [privacy@bhout.com]
6.3. If you believe that your right to personal data protection has been violated, you may file a complaint with the Portuguese Data Protection Supervisory Authority:
Comissão Nacional de Proteção de Dados (CNPD)
• Website: www.cnpd.pt
• Email: geral@cnpd.pt
• Telephone: 213 928 400
7. When is personal data disclosed to third parties?
We may disclose your personal data to the following categories of recipients::
a) Communications management service providers based in the United States of America;
b) Appointment scheduling and booking and payment management service providers based in Ireland;
c) Storage service providers based in Portugal and Ireland;
d) Providers of communications, marketing and connection services, based in the United Kingdom, Germany and the United States of America;
e) Customer acquisition partners, based in Portugal and Spain;
f) Video surveillance service providers, based in Portugal;
g) Accounting and invoicing service providers, based in Portugal;
h) Banking service providers, based in Portugal and Lithuania;
i) Social networks, based in Ireland;
j) Insurance companies, based in Portugal;
k) Legal service providers, based in Portugal;
l) Public authorities, based in Portugal.
8. Data Transfers to Third Countries
8.1. Your personal data may be transferred to countries outside the European Economic Area (EEA) only when:
a) the European Commission has adopted an adequacy decision in relation to the recipient country;
b) appropriate safeguards have been implemented, such as:
• Standard Contractual Clauses approved by the European Commission;
• Binding Corporate Rules (BCRs); and
• Approved certifications or codes of conduct.
c) One of the exceptions provided for in Article 49 of the GDPR applies.
8.2. You may request information regarding such data transfers and obtain a copy of the safeguards implemented by contacting us at the following email address privacy@bhout.com.
9. Special categories of data
9.1. Special categories of data (sensitive data) include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life, or sexual orientation.
9.2. Generally, we do not collect special categories of data. The exception is the collection of weight (health data) for the purposes of registering on the App and participating in games and competitions within BHOUT, as this data is necessary to identify the category to which the data subject belongs for competition purposes. The processing of this personal data is carried out on the basis of the data subject's consent. The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not compromise the lawfulness of processing based on consent given previously given.
9.3. In addition to the foregoing, other circumstances may also justify such processing under Articles 9(2)(h) or 9(2)(i) of the GDPR.
9.4. This data is subject to specially protected processing and is safeguarded by additional security measures.
10. Changes to the Privacy Policy
10.1 This Privacy Policy may be modified at any time at the discretion of the Controller, who reserves the right to introduce any changes deemed appropriate, such changes will be published on the Website/App or, in the case of material changes, the Data Subjects will be duly notified.
10.2 We maintain an archive of previous versions of this Policy.
11. Our contact details
11.1 For any matters related to this Privacy Policy or the processing of your personal data:
• Data Controller: BHT, Unipessoal Lda.
• Email address: privacy@bhout.com[CCA1.1]
• Adress: Rua de Carvalha, nº 570, 2400-441 Leiria
Date of Last Update: March, 26th, 2026
